
Remove RBAC console template

The console is changing to discover if the template service broker is
running by looking at the service classes on the client. This means the
console no longer needs the RBAC template. It also no longer needs to
manually trigger a rollout after the template service broker is
installed or removed.
Samuel Padgett 7 years ago
commit
4559402f4e

+ 0 - 1
roles/openshift_web_console/defaults/main.yml

@@ -2,7 +2,6 @@
 openshift_web_console_nodeselector: {"node-role.kubernetes.io/master":"true"}
 
 __console_template_file: "console-template.yaml"
-__console_rbac_file: "console-rbac-template.yaml"
 __console_config_file: "console-config.yaml"
 
 openshift_web_console_image_dict:

+ 0 - 38
roles/openshift_web_console/files/console-rbac-template.yaml

@@ -1,38 +0,0 @@
-apiVersion: template.openshift.io/v1
-kind: Template
-metadata:
-  name: web-console-server-rbac
-parameters:
-- name: NAMESPACE
-  # This namespace cannot be changed. Only `openshift-web-console` is supported.
-  value: openshift-web-console
-objects:
-
-
-# allow grant powers to the webconsole server for cluster inspection
-- apiVersion: rbac.authorization.k8s.io/v1beta1
-  kind: ClusterRole
-  metadata:
-    name: system:openshift:web-console-server
-  rules:
-  - apiGroups:
-    - "servicecatalog.k8s.io"
-    resources:
-    - clusterservicebrokers
-    verbs:
-    - get
-    - list
-    - watch
-
-# Grant the service account for the web console
-- apiVersion: rbac.authorization.k8s.io/v1beta1
-  kind: ClusterRoleBinding
-  metadata:
-    name: system:openshift:web-console-server
-  roleRef:
-    kind: ClusterRole
-    name: system:openshift:web-console-server
-  subjects:
-  - kind: ServiceAccount
-    namespace: ${NAMESPACE}
-    name: webconsole

+ 0 - 6
roles/openshift_web_console/tasks/install.yml

@@ -23,7 +23,6 @@
     dest: "{{ mktemp.stdout }}/{{ item }}"
   with_items:
   - "{{ __console_template_file }}"
-  - "{{ __console_rbac_file }}"
   - "{{ __console_config_file }}"
 
 # Check if an existing webconsole-config config map exists. If so, use those
@@ -115,11 +114,6 @@
     src: "{{ mktemp.stdout }}/{{ __console_config_file }}"
   register: updated_console_config
 
-- name: Reconcile with the web console RBAC file
-  shell: >
-    {{ openshift_client_binary }} process -f "{{ mktemp.stdout }}/{{ __console_rbac_file }}" --config={{ mktemp.stdout }}/admin.kubeconfig
-    | {{ openshift_client_binary }} auth reconcile --config={{ mktemp.stdout }}/admin.kubeconfig -f -
-
 - name: Apply the web console template file
   shell: >
     {{ openshift_client_binary }} process -f "{{ mktemp.stdout }}/{{ __console_template_file }}"
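Review bot: Removing the `Reconcile with the web console RBAC file` task stops the installer from applying the `system:openshift:web-console-server` ClusterRole and ClusterRoleBinding, but nothing visible in this commit deletes them from clusters where an earlier run already reconciled them. On such clusters the `webconsole` service account would presumably keep get/list/watch on `clusterservicebrokers`, a cluster-scoped grant the description says the console no longer needs. Consider adding a cleanup task in place of the removed one, for example `{{ openshift_client_binary }} delete clusterrolebinding/system:openshift:web-console-server clusterrole/system:openshift:web-console-server --ignore-not-found --config={{ mktemp.stdout }}/admin.kubeconfig`. The rest of install.yml and the role's removal tasks lie outside these hunks, so an existing cleanup may already cover this.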

+ 0 - 20
roles/openshift_web_console/tasks/rollout_console.yml

@@ -1,20 +0,0 @@
----
-- name: Check if console deployment exists
-  oc_obj:
-    kind: deployments
-    name: webconsole
-    namespace: openshift-web-console
-    state: list
-  register: console_deployment
-
-# There's currently no command to trigger a rollout for a k8s deployment
-# without changing the pod spec. Add an annotation to force a rollout.
-- name: Rollout updated web console deployment
-  oc_edit:
-    kind: deployments
-    name: webconsole
-    namespace: openshift-web-console
-    separator: '#'
-    content:
-      spec#template#metadata#annotations#installer-triggered-rollout: "{{ ansible_date_time.iso8601_micro }}"
-  when: console_deployment.results.results.0 | length > 0

+ 0 - 6
roles/template_service_broker/tasks/install.yml

@@ -8,9 +8,3 @@
     openshift_master_ensure_nodes_service: Template Service Broker
 
 - include_tasks: deploy.yml
-
-- name: Rollout console so it discovers the template service broker is installed
-  include_role:
-    name: openshift_web_console
-    tasks_from: rollout_console.yml
-  when: openshift_web_console_install | default(true) | bool

+ 0 - 6
roles/template_service_broker/tasks/remove.yml

@@ -36,9 +36,3 @@
     state: absent
     name: "{{ mktemp.stdout }}"
   changed_when: False
-
-- name: Rollout console so it discovers the template service broker is removed
-  include_role:
-    name: openshift_web_console
-    tasks_from: rollout_console.yml
-  when: openshift_web_console_install | default(true) | bool